ISO/IEC 27003:2010
Information technology — Security techniques — Information security management system implementation guidance
ISO/IEC 27003:2010 focuses on the critical aspects needed for successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. It describes the process of ISMS specification and design from inception to the production of implementation plans. It describes the process of obtaining management approval to implement an ISMS, defines a project to implement an ISMS (referred to in ISO/IEC 27003:2010 as the ISMS project), and provides guidance on how to plan the ISMS project, resulting in a final ISMS project implementation plan.
This International Standard focuses on the critical aspects needed for the successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. It describes the process of ISMS specification and design from inception to the production of implementation plans. It describes the process of obtaining management approval to implement an ISMS, defines a project to implement an ISMS (referred to in this International Standard as the ISMS project), and provides guidance on how to plan the ISMS project, resulting in a final ISMS project implementation plan. This International Standard is used by organizations implementing an ISMS. It applies to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) of all sizes. Each organization's complexity and risks are unique, and its specific requirements will drive the ISMS implementation. Smaller organizations will find that the activities noted in this International Standard are applicable to them and can be simplified. Large or complex organizations may find that a layered organization or management system is needed to manage the activities in this International Standard effectively. In both cases, however, the relevant activities can be planned using this International Standard. This International Standard gives recommendations and explanations; it does not specify any requirements. This International Standard is intended to be used in conjunction with ISO/IEC 27001:2005 and ISO/IEC 27002:2005, but is not intended to modify and/or reduce the requirements specified in ISO/IEC 27001:2005 or the recommendations provided in ISO/IEC 27002:2005. Claiming conformity to this International Standard is not appropriate.
Standards Content (Sample)
International Standard ISO/IEC 27003
Official translation (Arabic edition)
Information technology — Security techniques — Information security management system implementation guidance (E)
Printed at the ISO Central Secretariat in Geneva, Switzerland, as an official Arabic translation on behalf of the 10 ISO member bodies that approved the accuracy of the translation (see the list on page ii).
Reference number ISO 27003/2010 (A)
© ISO 2010
ISO/IEC 27003/2010 (A)
Disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the embedded typefaces are licensed to and installed on the computer performing the editing. In downloading this file, parties accept the responsibility of not infringing Adobe's licensing policy, while the ISO Central Secretariat accepts no legal liability in this area.
Adobe is a registered trademark of Adobe Systems Incorporated.
Details of the software used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Care has been taken to ensure that the file is suitable for use by ISO member bodies. Should a problem relating to this file be found, please inform the Central Secretariat at the address given below.
Arab standardization bodies that adopted the standard:
Jordan: Jordan Standards and Metrology Organization
United Arab Emirates: Emirates Authority for Standardization and Metrology
Algeria: Algerian Institute of Standardization
Saudi Arabia: Saudi Standards and Metrology Organization
Iraq: Central Organization for Standardization and Quality Control
Kuwait: Public Authority for Industry
Sudan: Sudanese Standards and Metrology Organization
Yemen: Yemen Standardization, Metrology and Quality Control Organization
Tunisia: National Institute for Standardization and Industrial Property
Syria: Syrian Arab Organization for Standardization and Metrology
Libya: National Center for Standardization and Standards
Egypt: Egyptian Organization for Standardization and Quality
Copyright protected document
© ISO 2010
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without written permission from either ISO at the address below or one of ISO's member bodies in the country of the requester.
ISO copyright office
Case postale 56 * CH-1211 Geneva 20
Tel. 0041227490111
Fax 0041227490947
E-mail copyright@iso.org
Web www.iso.org
The Arabic version was published in 2016
Published in Switzerland
ii © ISO 2010 All rights reserved
Contents (Arabic edition) Page
Foreword iv
Introduction v
1 Scope 1
2 Normative references 1
3 Terms and definitions 1
4 Structure of this International Standard 1
4.1 General structure of the clauses of this standard 1
4.2 General structure of a clause 3
4.3 Diagrams 4
5 Obtaining management approval for initiating an ISMS project 5
5.1 Overview of obtaining management approval for initiating an ISMS project 5
5.2 Clarify the organization's priorities to develop an ISMS 9
5.3 Define the preliminary ISMS scope 11
5.4 Create the business case and the project plan for management approval 13
6 Defining ISMS scope, boundaries and ISMS policy 15
6.1 Overview of defining ISMS scope, boundaries and ISMS policy 15
6.2 Define organizational scope and boundaries 18
6.3 Define information and communication technology (ICT) scope and boundaries 19
6.4 Define physical scope and boundaries 20
6.5 Integrate each scope and boundaries to obtain the overall ISMS scope and boundaries 21
6.6 Develop the ISMS policy and obtain management approval 22
7 Conducting information security requirements analysis 21
7.1 Overview of conducting information security requirements analysis 21
7.2 Define information security requirements for the ISMS process 24
7.3 Identify assets within the ISMS scope 25
7.4 Conduct an information security assessment 26
8 Conducting risk assessment and planning risk treatment 27
8.1 Overview of conducting risk assessment and planning risk treatment 27
8.2 Conduct risk assessment 29
8.3 Select the control objectives and controls 32
8.4 Obtain management authorization for implementing and operating the ISMS 33
9 Designing the ISMS 34
9.1 Overview of designing the ISMS 34
9.2 Design organizational information security 34
9.3 Design ICT and physical information security 42
9.4 Design ISMS-specific information security 43
9.5 Produce the final ISMS project plan 45
Annex A (informative) Checklist description 45
Annex B (informative) Roles and responsibilities for information security 48
Annex C (informative) Information about internal auditing 52
Annex D (informative) Structure of policies 54
Annex E (informative) Monitoring and measuring 58
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to the national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies entitled to vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27003 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
Introduction
The purpose of this International Standard is to provide practical guidance for developing and implementing a plan for an Information Security Management System (ISMS) within an organization, in accordance with the International Standard ISO/IEC 27001:2005. The actual implementation of an ISMS is generally executed as a project.
The process described in this standard has been designed to provide support for the implementation of ISO/IEC 27001:2005 (the relevant parts are confined to clauses 4, 5 and 7) and documents:
a) preparing to begin an ISMS implementation plan in the organization, defining the organizational structure of the project and obtaining management approvals;
b) the critical activities of the ISMS project;
c) examples of how to meet the requirements of ISO/IEC 27001:2005.
Using this International Standard, an organization can develop a process for managing information security, which gives stakeholders assurance that risks to information assets are continuously kept within acceptable information security bounds as defined by the organization.
This International Standard does not cover the operational activities and other ISMS activities; rather, it covers the concepts on which those activities, which arise once ISMS operations begin, are designed. The concept results in the final ISMS project implementation plan.
Information technology – Security techniques – Information security management system implementation guidance
1. Scope
This International Standard focuses on the critical aspects needed for the successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. It describes the process of ISMS specification and design from inception to the production of implementation plans. It also describes the process of obtaining management approval to implement an ISMS, defines a project to implement it (referred to in this standard as the ISMS project), and gives guidance on how to plan the project, so that a final project implementation plan is obtained at the end.
This International Standard is intended to be used by organizations implementing an ISMS. It applies to all types of organizations (such as commercial enterprises, government agencies and non-profit organizations) of all sizes. Each organization is unique in its complexity, and the specifics of its requirements will determine how its ISMS is implemented. Smaller organizations will therefore find that the activities noted in this standard apply to them in a simplified form. Large or more complex organizations may find that a layered management structure or a separate management system is needed to manage the activities of this International Standard effectively. In both cases, the relevant activities can be planned using this International Standard.
This International Standard gives recommendations and explanations, and does not specify any requirements. It is intended to be used together with ISO/IEC 27001:2005 and ISO/IEC 27002:2005, but it is not intended to modify or reduce the requirements given in ISO/IEC 27001:2005 or the recommendations given in ISO/IEC 27002:2005. Claiming conformity to this standard is not appropriate.
2. Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies:
ISO/IEC 27000:2009, Information technology – Security techniques – Information security management systems – Overview and vocabulary.
ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements.
3. Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000:2009 and ISO/IEC 27001:2005 apply, together with the following:
3.1 ISMS project
Structured activities undertaken by an organization to implement an ISMS.
4. Structure of this International Standard
4.1 General structure of the clauses of this standard
Implementing an ISMS is an important activity and is generally executed as one of the organization's projects. This document explains ISMS implementation with a focus on initiating, planning and defining the project. The planning process for the final implementation of the system comprises five phases, each represented by a separate clause. All clauses have the same structure, as described below. The five phases are:
a) Obtaining management approval for initiating an ISMS project (Clause 5)
b) Defining the ISMS scope and policy (Clause 6)
c) Conducting the organization analysis (Clause 7)
d) Conducting risk assessment and risk treatment planning (Clause 8)
e) Designing the ISMS (Clause 9)
Figure 1 shows the five phases of planning the ISMS project, with references to the ISO/IEC standards and the main output documents.
[Figure 1 (diagram): the five phases on a timeline, Clause 5 "Obtaining management approval for initiating the ISMS project", Clause 6 "Defining ISMS scope, boundaries and policy", Clause 7 "Conducting information security requirements analysis", Clause 8 "Conducting risk assessment and planning risk treatment", Clause 9 "Designing the ISMS", with their output documents: written notice of management approval to initiate the ISMS project; ISMS scope and boundaries and ISMS policy; information security requirements, information assets and information security assessment results; risk treatment plan and statement of applicability including the selected control objectives and controls; final ISMS implementation plan.]
Figure 1: Phases of the ISMS project
Further information is given in the accompanying annexes, which are:
Annex A: Summary of activities with references to ISO/IEC 27001:2005
Annex B: Roles and responsibilities for information security
Annex C: Information about planning internal audits
Annex D: Structure of policies
Annex E: Information about planning monitoring and measuring
4.2 General structure of a clause
Each clause contains the following:
a) one or more objectives, stated in a text box at the beginning of each clause, together with what is to be achieved;
b) one or more activities necessary to achieve the objective(s) of the phase.
Each activity is described in its own subclause.
The description of the activity in each subclause is divided as follows:
Activity:
Defines what is necessary to satisfy the aspects of the activity so as to achieve all or part of the phase objectives.
Input:
Describes the starting points, such as the existence of documented decisions or outputs from other activities described in this International Standard. Inputs may be referred to either as the complete output of an activity, by simply citing the relevant clause, or as specific information from an activity added after the clause reference.
Guidance
Provides detailed information enabling the activity to be performed. Some guidance may not be suitable in all cases; other methods may be more appropriate for achieving the results.
Output
Describes the results or deliverables on completion of the activity, such as documents. The outputs are the same whatever the size of the organization or the scope of the ISMS.
Other information
Provides any additional information that may help in performing the activity, such as references to other standards.
Note: The phases and activities described in this document include a suggested sequence for performing the activities, based on the dependencies identified through the inputs and outputs of each activity. The organization may nevertheless choose to carry out its activities in whatever order is required for preparing and implementing the ISMS, depending on many different factors (such as the effectiveness of the management system currently in place, the understanding of the importance of information security, and the reasons for implementing an ISMS).
4.3 Diagrams
The project is often illustrated in the form of flow charts or diagrams showing an overview of the activities and outputs. Figure 2 gives the legend for the diagrams shown in the overview subclause of each phase. The diagrams give an overall general view of the activities contained in each phase.
[Figure 2 (diagram): upper box "ISMS project planning phases" showing Phase X, Phase Y and Phase Z on a timeline with their documents; lower box "Phase activities" showing Activity A, Activity B and Activity C on a timeline with their documents.]
Figure 2: Legend for the flow diagrams
The upper box shows the planning phases of the project, and the main output documents of each phase, confirming the explanation given in the corresponding clause.
The lower drawing (activities of each phase) contains the key activities included in the phase explained in the upper box, and the main output documents of each activity.
The timeline in the lower box is based on the timeline in the upper box.
Activities A and B can be carried out at the same time, whereas activity C should begin after activities A and B have finished.
5. Obtaining management approval for initiating an ISMS project
5.1 Overview of obtaining management approval for initiating an ISMS project
There are many factors or influences that should be taken into account when making the decision to implement an ISMS. To address these factors, management should understand and approve the business case for the ISMS implementation project. The objective of this phase is therefore:
Objective:
To obtain management approval for initiating an ISMS project by defining a business case and a project plan.
To obtain management approval, the organization should create a business case that includes the priorities and objectives for implementing the ISMS, as well as the organizational structure for the ISMS. An initial ISMS plan should also be created.
The work performed in this phase will enable the organization to understand the importance of the ISMS and to clarify the information security roles and responsibilities required within the organization for the ISMS project.
The expected outputs of this phase are preliminary management approval of, and commitment to, implementing an ISMS and performing the activities described in this International Standard. The deliverables of this clause include a business case document and a draft ISMS project plan with milestones.
Figure 3 shows the process of obtaining management approval for initiating an ISMS project.
Note:
The output of Clause 5 (documented management commitment to planning and implementing an ISMS) and one of the outputs of Clause 7 (a summary document of the information security state) are not requirements of ISO/IEC 27000:2005. Nevertheless, the outputs of these activities are recommended inputs to the other activities described in this document.
[Figure 3 (diagram): the five phases (Clauses 5 to 9) on a timeline, with Clause 5 "Obtaining management approval for initiating the ISMS project" expanded into its activities: 5.2 Clarify the organization's priorities to develop an ISMS (outputs: summary of ISMS objectives; list of legislative, contractual and industry constraints related to the organization's information security; brief overview of business characteristics); 5.3 Define the preliminary ISMS scope, comprising 5.3.1 Set the preliminary ISMS scope and 5.3.2 Define roles and responsibilities for the preliminary ISMS scope (outputs: preliminary ISMS scope; brief description of roles and responsibilities for implementing the ISMS); 5.4 Create the business case and the project plan for management approval (outputs: business case; ISMS project proposal; ISMS project approval).]
Figure 3: Overview of obtaining management approval for initiating ISMS planning
5.2 Clarify the organization's priorities to develop an ISMS
Activity:
The objectives for implementing an ISMS should be established, taking into account the organization's information security priorities and requirements.
Input:
a) the organization's strategic objectives;
b) an overview of existing management systems;
c) a list of legal, regulatory and contractual information security requirements applicable to the organization.
Guidance:
Management approval is usually required to start any ISMS project; therefore the first activity to undertake is collecting the important information that demonstrates the value of an ISMS to the organization. The organization should clarify how pressing the need for an ISMS is, determine the objectives of implementing it, and initiate the project.
The objectives for implementing an ISMS can be determined by answering the following questions:
a) Risk management: how will the ISMS bring about better management of information security risks?
b) Efficiency: how can the ISMS improve the management of information security?
c) Market advantage: how can the ISMS create a competitive advantage for the organization?
To answer these questions, the organization's priorities and requirements should be addressed in terms of the following factors:
a) Critical business and organizational areas:
1. What are the critical business and organizational areas?
2. Which organizational areas supply the business, and to what degree?
3. What relationships and agreements exist with third parties?
4. Are any services outsourced to an external party?
b) Critical or valuable information:
1. What information is critical to the organization?
2. What consequences could arise if specific information were disclosed to parties not authorized to receive it (for example: loss of competitive advantage, damage to the trade name or reputation, legal action, etc.)?
c) Laws that mandate information security measures:
1. Which laws relating to risk treatment or information security apply to the organization?
2. Is the organization part of a larger public organization that requires financial reporting to external parties?
d) Contractual or regulatory agreements related to information security:
1. What are the storage requirements (including retention periods) for stored data?
2. Are there any contractual requirements related to confidentiality or quality (for example: service level agreements (SLA))?
e) Industry requirements that prescribe specific information security measures or controls:
1. What sector-specific requirements apply to the organization's situation?
f) Threat environment:
1. What kinds of protection are required, and against which threats?
2. What are the distinct classifications of information that require protection?
3. What are the distinct types of information activities that need protection?
g) Competitive drivers:
1. What are the minimum market requirements for information security?
2. What additional information security controls would give the organization a competitive advantage?
h) Business continuity requirements:
1. What are the critical business processes?
2. How long can the organization tolerate interruptions to its business processes?
The preliminary ISMS scope is determined by answering the above questions; this is also required in order to create the business case and the overall plan of the ISMS project for obtaining management approval. The detailed ISMS scope is defined during the project.
The requirements stated in ISO/IEC 27001:2005, 4.2.1 a), summarize the scope in terms of the characteristics of the business, the organizational structure, location, assets and technologies, and support the information resulting from this determination.
Topics to be considered when making preliminary decisions on the scope include the following:
a) What are the information security management imperatives set by the organization's management, and the external obligations imposed on the organization?
b) Does the proposed scope of the system fall under the responsibility of more than one management team (for example: individuals in lower-level or different departments)?
c) How will ISMS-related documents be communicated across the organization (for example: on paper or through the internal network)?
d) Can the existing management systems support the organization's needs? Do these systems operate at full capacity, are they carefully maintained, and do they work as planned?
Examples of management objectives that may be used as inputs for defining the preliminary ISMS scope include:
a) facilitating business continuity and disaster recovery;
b) improving the ability to deal resiliently with incidents;
c) addressing legal and contractual obligations;
d) enabling certification against other ISO/IEC International Standards;
e) enabling the organization's development and standing;
f) reducing the cost of security controls;
g) protecting assets of strategic value;
h) building a sound and effective internal control environment;
i) providing assurance to stakeholders that information assets are appropriately protected.
Output:
The deliverables of this activity are:
a) a document summarizing the objectives and priorities for information security and the organizational requirements for the ISMS;
b) a list of the legislative, contractual and industry requirements related to information security in the organization;
c) a brief overview of the characteristics of the business, the organization, its location, assets and technologies.
Other information
ISO/IEC 9001:2008, ISO/IEC 14001:2004, ISO/IEC 20000-1:2005.
5.3 Define the preliminary ISMS scope
5.3.1 Develop the preliminary ISMS scope
Activity:
The objectives for implementing the ISMS should include a definition of the scope, which is necessary for the ISMS project.
Input:
The outputs of activity 5.2, which clarify the organization's priorities in developing an ISMS.
Guidance:
To implement the ISMS project, the structure of the ISMS should be defined. The preliminary scope of the system should now be defined, to give management guidance for implementation decisions and to support further activities.
This preliminary scope is necessary for creating the business case and the proposed project plan for approval by management.
The output of this phase will be a document defining the preliminary scope of the ISMS, which includes:
a) a summary of the information security management imperatives set by management and the obligations imposed by external parties;
b) a description of how the different organizational areas named in the scope interact with other management systems;
c) a list of business objectives from an information security management perspective (derived from 5.2);
d) a list of the critical business processes, systems, information assets, organizational structures and geographic locations to which the ISMS will apply;
e) the relationship with existing management systems, legislative and mandatory objectives, and the organization's objectives;
f) the characteristics of the business, the organization, its location, assets and technologies.
These general elements, and the operational differences between the processes of any existing management systems and the proposed ISMS, should be identified.
Output:
The deliverable is a document describing the preliminary ISMS scope.
Other information
No specific information.
Note: Attention is drawn to the fact that, where certification to ISO/IEC 27001:2005 is sought, the documents specified by its requirements must be fulfilled, as in the requirements for the ISMS scope, regardless of any other systems existing in the organization.
5.3.2 Define roles and responsibilities for the preliminary ISMS scope
Activity:
The overall roles and responsibilities for the preliminary ISMS scope should be defined.
Input:
a) the outputs of activity 5.3.1, Develop the preliminary ISMS scope;
b) a list of the stakeholders who will benefit from the results of the ISMS project.
Guidance:
To implement the ISMS project, the organization's role must be determined; this role differs from one organization to another, since organizational structures and the resources dedicated to information security vary with the type, size and structure of the organization. For example, in small organizations several roles are performed by the same person. Nevertheless, management should explicitly and clearly define this role (usually a senior information security officer, an information security manager or similar) with overall responsibility for information security management. Roles and responsibilities should also be assigned to individuals on the basis of the skills required to carry out their function, which is necessary to ensure that tasks are performed competently and capably.
...
SLOVENIAN STANDARD
SIST ISO/IEC 27003:2011
1 March 2011
Information technology - Security techniques - Information security management system implementation guidance
This Slovenian standard is identical to: ISO/IEC 27003:2010
ICS:
35.040 Character sets and information coding
SIST ISO/IEC 27003:2011 en
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.
INTERNATIONAL ISO/IEC
STANDARD 27003
First edition
2010-02-01
Information technology — Security techniques — Information security management system implementation guidance
Reference number
ISO/IEC 27003:2010(E)
©
ISO/IEC 2010
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2010
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2010 – All rights reserved
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Structure of this International Standard
4.1 General structure of clauses
4.2 General structure of a clause
4.3 Diagrams
5 Obtaining management approval for initiating an ISMS project
5.1 Overview of obtaining management approval for initiating an ISMS project
5.2 Clarify the organization's priorities to develop an ISMS
5.3 Define the preliminary ISMS scope
5.4 Create the business case and the project plan for management approval
6 Defining ISMS scope, boundaries and ISMS policy
6.1 Overview of defining ISMS scope, boundaries and ISMS policy
6.2 Define organizational scope and boundaries
6.3 Define information communication technology (ICT) scope and boundaries
6.4 Define physical scope and boundaries
6.5 Integrate each scope and boundaries to obtain the ISMS scope and boundaries
6.6 Develop the ISMS policy and obtain approval from management
7 Conducting information security requirements analysis
7.1 Overview of conducting information security requirements analysis
7.2 Define information security requirements for the ISMS process
7.3 Identify assets within the ISMS scope
7.4 Conduct an information security assessment
8 Conducting risk assessment and planning risk treatment
8.1 Overview of conducting risk assessment and planning risk treatment
8.2 Conduct risk assessment
8.3 Select the control objectives and controls
8.4 Obtain management authorization for implementing and operating an ISMS
9 Designing the ISMS
9.1 Overview of designing the ISMS
9.2 Design organizational information security
9.3 Design ICT and physical information security
9.4 Design ISMS specific information security
9.5 Produce the final ISMS project plan
Annex A (informative) Checklist description
Annex B (informative) Roles and responsibilities for Information Security
Annex C (informative) Information about Internal Auditing
Annex D (informative) Structure of policies
Annex E (informative) Monitoring and measuring
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27003 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
Introduction
The purpose of this International Standard is to provide practical guidance in developing the implementation
plan for an Information Security Management System (ISMS) within an organization in accordance with
ISO/IEC 27001:2005. The actual implementation of an ISMS is generally executed as a project.
The process described in this International Standard has been designed to support the implementation of
ISO/IEC 27001:2005 (the relevant parts of Clauses 4, 5 and 7 inclusive) and to document:
a) the preparation for beginning an ISMS implementation plan in an organization, defining the organizational
structure for the project, and gaining management approval,
b) the critical activities for the ISMS project, and
c) examples of how to achieve the requirements in ISO/IEC 27001:2005.
By using this International Standard the organization will be able to develop a process for information security
management, giving stakeholders the assurance that risks to information assets are continuously maintained
within acceptable information security bounds as defined by the organization.
This International Standard does not cover the operational and other ISMS activities, but it does cover the
concepts for designing the activities that will follow once ISMS operation begins. The result of this design work
is the final ISMS project implementation plan. The actual execution of the organization-specific part of an
ISMS project is outside the scope of this International Standard.
The implementation of the ISMS project should be carried out using standard project management
methodologies (for more information please see ISO and ISO/IEC Standards addressing project
management).
INTERNATIONAL STANDARD ISO/IEC 27003:2010(E)
Information technology — Security techniques — Information
security management system implementation guidance
1 Scope
This International Standard focuses on the critical aspects needed for successful design and implementation
of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. It describes
the process of ISMS specification and design from inception to the production of implementation plans. It
describes the process of obtaining management approval to implement an ISMS, defines a project to
implement an ISMS (referred to in this International Standard as the ISMS project), and provides guidance on
how to plan the ISMS project, resulting in a final ISMS project implementation plan.
This International Standard is intended to be used by organizations implementing an ISMS. It is applicable to
all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations) of all
sizes. Each organization's complexity and risks are unique, and its specific requirements will drive the ISMS
implementation. Smaller organizations will find that the activities noted in this International Standard are
applicable to them and can be simplified. Large-scale or complex organizations might find that a layered
organization or management system is needed to manage the activities in this International Standard
effectively. However, in both cases, the relevant activities can be planned by applying this International
Standard.
This International Standard gives recommendations and explanations; it does not specify any requirements.
This International Standard is intended to be used in conjunction with ISO/IEC 27001:2005 and
ISO/IEC 27002:2005, but is not intended to modify and/or reduce the requirements specified in
ISO/IEC 27001:2005 or the recommendations provided in ISO/IEC 27002:2005. Claiming conformity to this
International Standard is not appropriate.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 27000:2009, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 27001:2005, Information technology — Security techniques — Information security management
systems — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000:2009,
ISO/IEC 27001:2005 and the following apply.
3.1
ISMS project
structured activities undertaken by an organization to implement an ISMS
4 Structure of this International Standard
4.1 General structure of clauses
The implementation of an ISMS is an important activity and is generally executed as a project in an
organization. This document explains the ISMS implementation by focusing on the initiation, planning, and
definition of the project. The process of planning the ISMS final implementation contains five phases and each
phase is represented by a separate clause. All clauses have a similar structure, as described below. The five
phases are:
a) Obtaining management approval for initiating an ISMS project (Clause 5)
b) Defining ISMS scope, boundaries and ISMS policy (Clause 6)
c) Conducting information security requirements analysis (Clause 7)
d) Conducting risk assessment and planning risk treatment (Clause 8)
e) Designing the ISMS (Clause 9)
Figure 1 illustrates the five phases of the planning of the ISMS project referring to ISO/IEC standards and
main output documents.
Figure 1 — ISMS project phases
Further information is noted in the annexes. These annexes are:
Annex A. Summary of activities with references according to ISO/IEC 27001:2005
Annex B. Information security roles and responsibilities
Annex C. Information on planning of internal audits
Annex D. Structure of policies
Annex E. Information on planning of monitoring and measuring
4.2 General structure of a clause
Each clause contains:
a) one or more objectives stating what is to be achieved noted in the beginning of each clause in a text box;
and
b) one or more activities necessary to achieve the phase objective or objectives.
Each activity is described in a subclause.
Activity descriptions in each subclause are structured as follows:
Activity
The activity states what has to be done to complete the activity; completing it achieves all or part of the phase
objectives.
Input
The input describes the starting point, such as the existence of documented decisions or outputs from other
activities described in this International Standard. An input may refer to the complete output of an activity, in
which case only the relevant clause is cited, or specific information from an activity may be named after the
clause reference.
Guidance
The guidance provides detailed information to enable performing this activity. Some of the guidance may not
be suitable in all cases and other ways of achieving the results may be more appropriate.
Output
The output describes the result(s) or deliverable(s), upon completion of the activity; e.g. a document. The
outputs are the same, independent of the size of the organization or the ISMS scope.
Other information
The other information provides any additional information that may assist in performing the activity, for
example references to other standards.
NOTE The phases and activities described in this document include a suggested sequence of performing activities
based on the dependencies identified through each of the activities’ “Input” and “Output” descriptions. However,
depending on many different factors (e.g., effectiveness of management system currently in place, understanding with
regard to the importance of information security, reasons for implementing an ISMS), an organization may select any
activity in any order as necessary to prepare for the establishment and implementation of the ISMS.
4.3 Diagrams
A project is often illustrated in graphical or diagram form, showing an overview of activities and outputs.
Figure 2 gives the legend for the diagrams that appear in the overview subclause of each phase. The
diagrams provide a high-level overview of the activities included in each phase.
Figure 2 — Flow diagram legend
The upper box illustrates the planning phases of an ISMS project. The phase explained in the specific
clause is emphasized, together with its key output documents.
The lower diagram (activities of the phase) shows the key activities that belong to the emphasized
phase of the upper box, and the main output documents of each activity.
The timeline in the lower box follows the timeline in the upper box.
Activity A and Activity B can be executed at the same time. Activity C should be started only after both
Activity A and Activity B are finished.
5 Obtaining management approval for initiating an ISMS project
5.1 Overview of obtaining management approval for initiating an ISMS project
There are several factors that should be taken into consideration when deciding to implement an ISMS. In
order to address these factors, management should understand the business case of an ISMS implementation
project and approve it. Therefore the objective of this phase is:
Objective:
To obtain management approval to start the ISMS project by defining a business case and the project plan.
In order to acquire management approval, an organization should create a business case that includes the
priorities and objectives for implementing an ISMS, together with the organizational structure for the ISMS.
The initial ISMS project plan should also be created.
The work performed in this phase will enable the organization to understand the relevance of an ISMS, and
clarify the information security roles and responsibilities within the organization needed for an ISMS project.
The expected output of this phase is preliminary management approval of, and commitment to, implementing
an ISMS and performing the activities described in this International Standard. The deliverables
from this clause include a business case and a draft ISMS project plan with key milestones.
Figure 3 illustrates the process to obtain management approval to initiate the ISMS project.
NOTE The output from Clause 5 (Documented management commitment to plan and implement an ISMS) and one
of the outputs of Clause 7 (Document summarization of the information security status) are not requirements of
ISO/IEC 27001:2005. However, the outputs from these activities are recommended input to other activities described in
this document.
Figure 3 — Overview of obtaining management approval for initiating an ISMS project
5.2 Clarify the organization’s priorities to develop an ISMS
Activity
The objectives for implementing an ISMS should be defined by considering the organization's information
security priorities and requirements.
Input
a) the organization’s strategic objectives
b) overview of the existing management systems
c) a list of legal, regulatory, and contractual information security requirements applicable to the organization
Guidance
In order to start the ISMS project, management approval is generally needed. Therefore, the first activity to
be performed is collecting the relevant information that illustrates the value of an ISMS to the organization.
The organization should clarify why an ISMS is needed, decide the objectives of the ISMS implementation,
and initiate the ISMS project.
The objectives for implementing an ISMS can be determined by answering the following questions:
a) risk management – How will an ISMS generate better management of information security risks?
b) efficiency – How can an ISMS improve the management of information security?
c) business advantage – How can an ISMS create competitive advantage for the organization?
In order to answer the questions above, the organization’s security priorities and requirements are addressed
by the following possible factors:
a) critical businesses and organizational areas:
1. What are the critical businesses and organizational areas?
2. Which organizational areas support which parts of the business, and with what focus?
3. What third party relationships and agreements exist?
4. Are there any services that have been outsourced?
b) sensitive or valuable information:
1. What information is critical to the organization?
2. What would be the likely consequences if certain information were to be disclosed to unauthorized
parties (e.g., loss of competitive advantage, damage to brand or reputation, legal action, etc.)?
c) laws which mandate information security measures:
1. What laws relating to risk treatment or information security apply to the organization?
2. Is the organization part of a public global organization that is required to have external financial
reporting?
d) contractual or organizational agreements relating to information security:
1. What are the requirements (including retention periods) for data storage?
2. Are there any contractual requirements relating to privacy or quality (e.g. a service level agreement,
SLA)?
e) industry requirements which specify particular information security controls or measures:
1. What sector-specific requirements apply to the organization?
f) The threat environment:
1. What kind of protection is needed, and against what threats?
2. What are the distinct categories of information that require protection?
3. What are the distinct types of information activities that need to be protected?
g) competitive drivers:
1. What are the minimum market requirements for information security?
2. What additional information security controls could provide a competitive advantage for the
organization?
h) Business continuity requirements
1. What are the critical business processes?
2. How long can the organization tolerate interruptions to each critical business process?
The preliminary ISMS scope can be determined by responding to the information above. This is also needed
in order to create a business case and overall ISMS project plan for management approval. The detailed
ISMS scope will be defined during the ISMS project.
The requirements noted in ISO/IEC 27001:2005 reference 4.2.1 a) outline the scope in terms of the
characteristics of the business, the organization, its location, assets and technology. The resulting information
from the above supports this determination.
Some topics which should be considered when making the initial decisions regarding scope include:
a) What are the mandates for information security management established by organizational management
and the obligations imposed externally on the organization?
b) Is the responsibility for the proposed in-scope systems held by more than one management team (e.g.
people in different subsidiaries or different departments)?
c) How will the ISMS-related documents be communicated throughout the organization (e.g. on paper or
through the corporate intranet)?
d) Can the current management systems support the organization's needs? Are they fully operational, well
maintained, and functioning as intended?
Examples of management objectives that may be used as input to define the preliminary ISMS scope include:
a) facilitating business continuity and disaster recovery
b) improving resilience to incidents
c) addressing legal/contractual compliance/liabilities
d) enabling certification against other ISO/IEC standards
e) enabling organizational evolution and position
f) reducing costs of security controls
g) protecting assets of strategic value
h) establishing a healthy and effective internal control environment
i) providing assurance to stakeholders that information assets are properly protected
Output
The deliverables of this activity are:
a) a document summarizing the objectives, information security priorities, and organizational requirements
for an ISMS;
b) a list of regulatory, contractual, and industry requirements related to the information security of the
organization;
c) outlined characteristics of the business, the organization, its location, assets, and technology.
Other information
ISO 9001:2008, ISO 14001:2004, ISO/IEC 20000-1:2005.
5.3 Define the preliminary ISMS scope
5.3.1 Develop the preliminary ISMS scope
Activity
The objectives for implementing an ISMS should include a definition of the preliminary ISMS scope, which is
necessary for the ISMS project.
Input
Output from Activity 5.2 Clarify the organization’s priorities to develop an ISMS.
Guidance
In order to execute the ISMS implementation project, the organizational structure for the ISMS should be
defined. The preliminary scope of the ISMS should now be defined to give management guidance for
implementation decisions, and to support further activities.
The preliminary ISMS scope is needed in order to create the business case and the proposed project plan for
management approval.
The output from this stage will be a document defining the preliminary scope of the ISMS, which includes:
a) a summary of the mandates for information security management established by organizational
management, and the obligations imposed externally on the organization;
b) a description of how the area(s) in scope interact with other management systems;
c) a list of the business objectives of information security management (as derived in clause 5.2);
d) a list of critical business processes, systems, information assets, organizational structures and
geographic locations to which the ISMS will be applied;
e) the relationship of existing management systems, regulatory, compliance, and organization objectives;
f) the characteristics of the business, the organization, its location, assets and technology.
The common elements and the operational differences between the processes of any existing management
system(s) and the proposed ISMS should
...
INTERNATIONAL STANDARD ISO/IEC 27003
First edition 2010-02-01
Information technology — Security techniques — Information security management system implementation
guidance
Technologies de l'information — Techniques de sécurité — Lignes directrices pour la mise en œuvre du
système de management de la sécurité de l'information
Reference number ISO/IEC 27003:2010(E)
© ISO/IEC 2010
---------------------- Page: 1 ----------------------
ISO/IEC 27003:2010(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2010
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2010 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 27003:2010(E)
Contents Page
Foreword .iv
Introduction.v
1 Scope.1
2 Normative references.1
3 Terms and definitions .1
4 Structure of this International Standard .2
4.1 General structure of clauses.2
4.2 General structure of a clause.3
4.3 Diagrams .3
5 Obtaining management approval for initiating an ISMS project .5
5.1 Overview of obtaining management approval for initiating an ISMS project .5
5.2 Clarify the organization’s priorities to develop an ISMS.7
5.3 Define the preliminary ISMS scope .9
5.4 Create the business case and the project plan for management approval.11
6 Defining ISMS scope, boundaries and ISMS policy.12
6.1 Overview of defining ISMS scope, boundaries and ISMS policy .12
6.2 Define organizational scope and boundaries.15
6.3 Define information communication technology (ICT) scope and boundaries .16
6.4 Define physical scope and boundaries.17
6.5 Integrate each scope and boundaries to obtain the ISMS scope and boundaries.18
6.6 Develop the ISMS policy and obtain approval from management .19
7 Conducting information security requirements analysis.20
7.1 Overview of conducting information security requirements analysis.20
7.2 Define information security requirements for the ISMS process.22
7.3 Identify assets within the ISMS scope .23
7.4 Conduct an information security assessment .24
8 Conducting risk assessment and planning risk treatment.25
8.1 Overview of conducting risk assessment and planning risk treatment .25
8.2 Conduct risk assessment.27
8.3 Select the control objectives and controls.28
8.4 Obtain management authorization for implementing and operating an ISMS.29
9 Designing the ISMS.30
9.1 Overview of designing the ISMS.30
9.2 Design organizational information security .33
9.3 Design ICT and physical information security .38
9.4 Design ISMS specific information security.40
9.5 Produce the final ISMS project plan .44
Annex A (informative) Checklist description .45
Annex B (informative) Roles and responsibilities for Information Security .51
Annex C (informative) Information about Internal Auditing .55
Annex D (informative) Structure of policies .57
Annex E (informative) Monitoring and measuring.62
Bibliography.68
© ISO/IEC 2010 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC 27003:2010(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27003 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
iv © ISO/IEC 2010 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC 27003:2010(E)
Introduction
The purpose of this International Standard is to provide practical guidance in developing the implementation
plan for an Information Security Management System (ISMS) within an organization in accordance with
ISO/IEC 27001:2005. The actual implementation of an ISMS is generally executed as a project.
The process described within this International Standard has been designed to provide support of the
implementation of ISO/IEC 27001:2005; (relevant parts from Clauses 4, 5, and 7 inclusive) and document:
a) the preparation of beginning an ISMS implementation plan in an organization, defining the organizational
structure for the project, and gaining management approval,
b) the critical activities for the ISMS project and,
c) examples to achieve the requirements in ISO/IEC 27001:2005.
By using this International Standard the organization will be able to develop a process for information security
management, giving stakeholders the assurance that risks to information assets are continuously maintained
within acceptable information security bounds as defined by the organization.
This International Standard does not cover the operational activities and other ISMS activities, but covers the
concepts on how to design the activities which will result after the ISMS operations begin. The concept results
in the final ISMS project implementation plan. The actual execution of the organizational specific part of an
ISMS project is outside the scope of this International Standard.
The implementation of the ISMS project should be carried out using standard project management
methodologies (for more information please see ISO and ISO/IEC Standards addressing project
management).
© ISO/IEC 2010 – All rights reserved v
---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO/IEC 27003:2010(E)
Information technology — Security techniques — Information
security management system implementation guidance
1 Scope
This International Standard focuses on the critical aspects needed for successful design and implementation
of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. It describes
the process of ISMS specification and design from inception to the production of implementation plans. It
describes the process of obtaining management approval to implement an ISMS, defines a project to
implement an ISMS (referred to in this International Standard as the ISMS project), and provides guidance on
how to plan the ISMS project, resulting in a final ISMS project implementation plan.
This International Standard is intended to be used by organizations implementing an ISMS. It is applicable to
all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations) of all
sizes. Each organization's complexity and risks are unique, and its specific requirements will drive the ISMS
implementation. Smaller organizations will find that the activities noted in this International Standard are
applicable to them and can be simplified. Large-scale or complex organizations might find that a layered
organization or management system is needed to manage the activities in this International Standard
effectively. However, in both cases, the relevant activities can be planned by applying this International
Standard.
This International Standard gives recommendations and explanations; it does not specify any requirements.
This International Standard is intended to be used in conjunction with ISO/IEC 27001:2005 and
ISO/IEC 27002:2005, but is not intended to modify and/or reduce the requirements specified in
ISO/IEC 27001:2005 or the recommendations provided in ISO/IEC 27002:2005. Claiming conformity to this
International Standard is not appropriate.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 27000:2009, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 27001:2005, Information technology — Security techniques — Information security management
systems — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000:2009,
ISO/IEC 27001:2005 and the following apply.
3.1
ISMS project
structured activities undertaken by an organization to implement an ISMS
© ISO/IEC 2010 – All rights reserved 1
---------------------- Page: 6 ----------------------
ISO/IEC 27003:2010(E)
4 Structure of this International Standard
4.1 General structure of clauses
The implementation of an ISMS is an important activity and is generally executed as a project in an
organization. This document explains the ISMS implementation by focusing on the initiation, planning, and
definition of the project. The process of planning the ISMS final implementation contains five phases and each
phase is represented by a separate clause. All clauses have a similar structure, as described below. The five
phases are:
a) Obtaining management approval for initiating an ISMS project (Clause 5)
b) Defining ISMS Scope and ISMS Policy (Clause 6)
c) Conducting Organization Analysis (Clause 7)
d) Conducting Risk Assessment and Risk Treatment planning (Clause 8)
e) Designing the ISMS (Clause 9)
Figure 1 illustrates the five phases of planning the ISMS project, with references to the relevant ISO/IEC
standards and the main output documents.
Figure 1 — ISMS project phases
Further information is noted in the annexes. These annexes are:
Annex A. Summary of activities with references according to ISO/IEC 27001:2005
Annex B. Information security roles and responsibilities
Annex C. Information on planning of internal audits
Annex D. Structure of policies
Annex E. Information on planning of monitoring and measuring
4.2 General structure of a clause
Each clause contains:
a) one or more objectives, stated in a text box at the beginning of the clause, describing what is to be achieved;
and
b) one or more activities necessary to achieve the phase objective or objectives.
Each activity is described in a subclause.
Activity descriptions in each subclause are structured as follows:
Activity
The activity describes what is necessary to achieve all or part of the phase objectives.
Input
The input describes the starting point, such as the existence of documented decisions or outputs from other
activities described in this International Standard. An input may be referenced either as the complete output
of an activity, by stating only the relevant clause, or as specific information from an activity, added after the
clause reference.
Guidance
The guidance provides detailed information to enable performing this activity. Some of the guidance may not
be suitable in all cases and other ways of achieving the results may be more appropriate.
Output
The output describes the result(s) or deliverable(s) upon completion of the activity, e.g. a document. The
outputs are the same, independent of the size of the organization or the ISMS scope.
Other information
The other information provides any additional information that may assist in performing the activity, for
example references to other standards.
NOTE The phases and activities described in this document include a suggested sequence of performing activities
based on the dependencies identified through each of the activities’ “Input” and “Output” descriptions. However,
depending on many different factors (e.g., effectiveness of management system currently in place, understanding with
regard to the importance of information security, reasons for implementing an ISMS), an organization may select any
activity in any order as necessary to prepare for the establishment and implementation of the ISMS.
4.3 Diagrams
A project is often illustrated in graphical or diagram form showing an overview of activities and outputs.
Figure 2 shows the legend for the diagrams that appear in the overview subclause of each phase. The
diagrams provide a high-level overview of the activities included in each phase.
Figure 2 — Flow diagram legend
The upper square illustrates the planning phases of an ISMS project. The phase explained in the specific
clause is then emphasized with its key output documents.
The lower diagram (activities of the phase) includes the key activities which are included in the emphasized
phase of the upper square, and main output documents of each activity.
The timeline in the lower square is based on the timeline in the upper square.
Activity A and Activity B can be executed at the same time. Activity C should be started only after Activities A
and B are finished.
5 Obtaining management approval for initiating an ISMS project
5.1 Overview of obtaining management approval for initiating an ISMS project
There are several factors that should be taken into consideration when deciding to implement an ISMS. In
order to address these factors, management should understand the business case of an ISMS implementation
project and approve it. Therefore the objective of this phase is:
Objective:
To obtain management approval to start the ISMS project by defining a business case and the project plan.
In order to acquire management approval, an organization should create a business case which includes the
priorities and objectives to implement an ISMS in addition to the structure of the organization for the ISMS.
The initial ISMS project plan should also be created.
The work performed in this phase will enable the organization to understand the relevance of an ISMS, and
clarify the information security roles and responsibilities within the organization needed for an ISMS project.
The expected output of this phase will be the preliminary management approval of, and commitment to,
implementing an ISMS and performing the activities described in this International Standard. The deliverables
from this clause include a business case and a draft ISMS project plan with key milestones.
Figure 3 illustrates the process to obtain management approval to initiate the ISMS project.
NOTE The output from Clause 5 (Documented management commitment to plan and implement an ISMS) and one
of the outputs of Clause 7 (Document summarization of the information security status) are not requirements of
ISO/IEC 27001:2005. However, the outputs from these activities are recommended input to other activities described in
this document.
Figure 3 — Overview of obtaining management approval for initiating an ISMS project
5.2 Clarify the organization’s priorities to develop an ISMS
Activity
The objectives for implementing an ISMS should be defined by considering the organization’s information
security priorities and requirements.
Input
a) the organization’s strategic objectives
b) overview of the existing management systems
c) a list of legal, regulatory, and contractual information security requirements applicable to the organization
Guidance
In order to start the ISMS project, management approval is generally needed. Therefore, the first activity that
should be performed is to collect the relevant information illustrating the value of an ISMS to the organization.
The organization should clarify why an ISMS is needed, decide the objectives of the ISMS implementation,
and initiate the ISMS project.
The objectives for implementing an ISMS can be determined by answering the following questions:
a) risk management – How will an ISMS generate better management of information security risks?
b) efficiency – How can an ISMS improve the management of information security?
c) business advantage – How can an ISMS create competitive advantage for the organization?
In order to answer the questions above, the organization’s security priorities and requirements are addressed
by the following possible factors:
a) critical businesses and organization areas:
1. What are the critical businesses and organizational areas?
2. Which organizational areas deliver the business, and with what focus?
3. What third party relationships and agreements exist?
4. Are there any services that have been outsourced?
b) sensitive or valuable information:
1. What information is critical to the organization?
2. What would be the likely consequences if certain information were to be disclosed to unauthorized
parties (e.g., loss of competitive advantage, damage to brand or reputation, legal action, etc.)?
c) laws which mandate information security measures:
1. What laws relating to risk treatment or information security apply to the organization?
2. Is the organization part of a public global organization that is required to have external financial
reporting?
d) contractual or organizational agreements relating to information security:
1. What are the requirements (including retention periods) for data storage?
2. Are there any contractual requirements relating to privacy or quality (e.g. a service level agreement,
SLA)?
e) industry requirements which specify particular information security controls or measures:
1. What sector-specific requirements apply to the organization?
f) the threat environment:
1. What kind of protection is needed, and against what threats?
2. What are the distinct categories of information that require protection?
3. What are the distinct types of information activities that need to be protected?
g) competitive drivers:
1. What are the minimum market requirements for information security?
2. What additional information security controls should provide a competitive advantage for the
organization?
h) business continuity requirements:
1. What are the critical business processes?
2. How long can the organization tolerate interruptions to each critical business process?
The preliminary ISMS scope can be determined by responding to the information above. This is also needed
in order to create a business case and overall ISMS project plan for management approval. The detailed
ISMS scope will be defined during the ISMS project.
The requirements noted in ISO/IEC 27001:2005 reference 4.2.1 a) outline the scope in terms of the
characteristics of the business, the organization, its location, assets and technology. The resulting information
from the above supports this determination.
Some topics which should be considered when making the initial decisions regarding scope include:
a) What are the mandates for information security management established by organizational management
and the obligations imposed externally on the organization?
b) Is the responsibility for the proposed in-scope systems held by more than one management team (e.g.
people in different subsidiaries or different departments)?
c) How will the ISMS-related documents be communicated throughout the organization (e.g. on paper or
through the corporate intranet)?
d) Can the current management systems support the organization’s needs? Are they fully operational, well
maintained, and functioning as intended?
Examples of management objectives that may be used as input to define the preliminary ISMS scope include:
a) facilitating business continuity and disaster recovery
b) improving resilience to incidents
c) addressing legal/contractual compliance/liabilities
d) enabling certification against other ISO/IEC standards
e) enabling organizational evolution and position
f) reducing costs of security controls
g) protecting assets of strategic value
h) establishing a healthy and effective internal control environment
i) providing assurance to stakeholders that information assets are properly protected
Output
The deliverables of this activity are:
a) a document summarizing the objectives, information security priorities, and organizational requirements
for an ISMS;
b) a list of regulatory, contractual, and industry requirements related to the information security of the
organization;
c) outlined characteristics of the business, the organization, its location, assets, and technology.
Other information
ISO/IEC 9001:2008, ISO/IEC 14001:2004, ISO/IEC 20000-1:2005.
5.3 Define the preliminary ISMS scope
5.3.1 Develop the preliminary ISMS scope
Activity
The objectives for implementing an ISMS should include the preliminary ISMS scope definition, which is
necessary for the ISMS project.
Input
Output from Activity 5.2 Clarify the organization’s priorities to develop an ISMS.
Guidance
In order to execute the ISMS implementation project, the structure of an organization for the ISMS should be
defined. The preliminary scope of the ISMS should now be defined to provide management with guidance for
implementation decisions, and to support further activities.
The preliminary ISMS scope is needed in order to create the business case and the proposed project plan for
management approval.
The output from this stage will be a document defining the preliminary scope of the ISMS, which includes:
a) a summary of the mandates for information security management established by organizational
management, and the obligations imposed externally on the organization;
b) a description of how the area(s) in scope interact with other management systems;
c) a list of the business objectives of information security management (as derived in clause 5.2);
d) a list of critical business processes, systems, information assets, organizational structures and
geographic locations to which the ISMS will be applied;
e) the relationship of existing management systems, regulatory, compliance, and organization objectives;
f) the characteristics of the business, the organization, its location, assets and technology.
The common elements and the operational differences between the processes of any existing management
system(s) and the proposed ISMS should be identified.
Output
The deliverable is a document which describes the preliminary scope of the ISMS.
Other information
No other specific information.
NOTE Special attention should be paid to the fact that, in the case of certification, the specific documentation
requirements of ISO/IEC 27001:2005 for the ISMS scope are to be fulfilled regardless of the management systems in
place within the organization.
5.3.2 Define roles & responsibilities for the preliminary ISMS scope
Activity
The overall roles and responsibilities for the preliminary ISMS scope should be defined.
Input
a) output from Activity 5.3.1 Develop the preliminary ISMS scope
b) list of stakeholders who will benefit from results of the ISMS project.
Guidance
In order to execute the ISMS project, the organizational roles for the project should be determined. These roles
generally differ between organizations, depending on the number of people dealing with information security.
The organizational structure and resources for information security vary with the size, type and structure of the
organization. For example, in a smaller organization, several roles may be carried out by the same person.
However, man
...
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.Informacijska tehnologija - Varnostne tehnike - Smernice za izvedbo sistema upravljanja informacijske varnostiTechnologies de l'information - Techniques de sécurité - Lignes directrices pour la mise en oeuvre du système de management de la sécurité de l'informationInformation technology - Security techniques - Information security management system implementation guidance35.040Nabori znakov in kodiranje informacijCharacter sets and information codingICS:Ta slovenski standard je istoveten z:ISO/IEC 27003:2010oSIST ISO/IEC 27003:2010en01-december-2010oSIST ISO/IEC 27003:2010SLOVENSKI
STANDARD
oSIST ISO/IEC 27003:2010
Reference numberISO/IEC 27003:2010(E)© ISO/IEC 2010
INTERNATIONAL STANDARD ISO/IEC27003First edition2010-02-01Information technology — Security techniques — Information security management system implementation guidance Technologies de l'information — Techniques de sécurité — Lignes directrices pour la mise en œuvre du système de management de la sécurité de l'information
oSIST ISO/IEC 27003:2010
ISO/IEC 27003:2010(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.
COPYRIGHT PROTECTED DOCUMENT
©
ISO/IEC 2010 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester. ISO copyright office Case postale 56 • CH-1211 Geneva 20 Tel.
+ 41 22 749 01 11 Fax
+ 41 22 749 09 47 E-mail
copyright@iso.org Web
www.iso.org Published in Switzerland
ii © ISO/IEC 2010 – All rights reserved
oSIST ISO/IEC 27003:2010
ISO/IEC 27003:2010(E) © ISO/IEC 2010 – All rights reserved iii Contents Page Foreword.iv Introduction.v 1 Scope.1 2 Normative references.1 3 Terms and definitions.1 4 Structure of this International Standard.2 4.1 General structure of clauses.2 4.2 General structure of a clause.3 4.3 Diagrams.3 5 Obtaining management approval for initiating an ISMS project.5 5.1 Overview of obtaining management approval for initiating an ISMS project.5 5.2 Clarify the organization’s priorities to develop an ISMS.7 5.3 Define the preliminary ISMS scope.9 5.4 Create the business case and the project plan for management approval.11 6 Defining ISMS scope, boundaries and ISMS policy.12 6.1 Overview of defining ISMS scope, boundaries and ISMS policy.12 6.2 Define organizational scope and boundaries.15 6.3 Define information communication technology (ICT) scope and boundaries.16 6.4 Define physical scope and boundaries.17 6.5 Integrate each scope and boundaries to obtain the ISMS scope and boundaries.18 6.6 Develop the ISMS policy and obtain approval from management.19 7 Conducting information security requirements analysis.20 7.1 Overview of conducting information security requirements analysis.20 7.2 Define information security requirements for the ISMS process.22 7.3 Identify assets within the ISMS scope.23 7.4 Conduct an information security assessment.24 8 Conducting risk assessment and planning risk treatment.25 8.1 Overview of conducting risk assessment and planning risk treatment.25 8.2 Conduct risk assessment.27 8.3 Select the control objectives and controls.28 8.4 Obtain management authorization for implementing and operating an ISMS.29 9 Designing the ISMS.30 9.1 Overview of designing the ISMS.30 9.2 Design organizational information security.33 9.3 Design ICT and physical information security.38 9.4 Design ISMS specific information security.40 9.5 Produce the final ISMS project plan.44 Annex A (informative)
Checklist description.45 Annex B (informative)
Roles and responsibilities for Information Security.51 Annex C (informative)
Information about Internal Auditing.55 Annex D (informative)
Structure of policies.57 Annex E (informative)
Monitoring and measuring.62 Bibliography.68
oSIST ISO/IEC 27003:2010
ISO/IEC 27003:2010(E) iv © ISO/IEC 2010 – All rights reserved Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 27003 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. oSIST ISO/IEC 27003:2010
ISO/IEC 27003:2010(E) © ISO/IEC 2010 – All rights reserved v Introduction The purpose of this International Standard is to provide practical guidance in developing the implementation plan for an Information Security Management System (ISMS) within an organization in accordance with ISO/IEC 27001:2005. The actual implementation of an ISMS is generally executed as a project. The process described within this International Standard has been designed to provide support of the implementation of ISO/IEC 27001:2005; (relevant parts from Clauses 4, 5, and 7 inclusive) and document: a) the preparation of beginning an ISMS implementation plan in an organization, defining the organizational structure for the project, and gaining management approval, b) the critical activities for the ISMS project and, c) examples to achieve the requirements in ISO/IEC 27001:2005.
By using this International Standard the organization will be able to develop a process for information security management, giving stakeholders the assurance that risks to information assets are continuously maintained within acceptable information security bounds as defined by the organization. This International Standard does not cover the operational activities and other ISMS activities, but covers the concepts on how to design the activities which will result after the ISMS operations begin. The concept results in the final ISMS project implementation plan. The actual execution of the organizational specific part of an ISMS project is outside the scope of this International Standard. The implementation of the ISMS project should be carried out using standard project management methodologies (for more information please see ISO and ISO/IEC Standards addressing project management).
oSIST ISO/IEC 27003:2010
oSIST ISO/IEC 27003:2010
INTERNATIONAL STANDARD ISO/IEC 27003:2010(E) © ISO/IEC 2010 – All rights reserved 1 Information technology — Security techniques — Information security management system implementation guidance 1 Scope This International Standard focuses on the critical aspects needed for successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. It describes the process of ISMS specification and design from inception to the production of implementation plans. It describes the process of obtaining management approval to implement an ISMS, defines a project to implement an ISMS (referred to in this International Standard as the ISMS project), and provides guidance on how to plan the ISMS project, resulting in a final ISMS project implementation plan. This International Standard is intended to be used by organizations implementing an ISMS. It is applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations) of all sizes. Each organization's complexity and risks are unique, and its specific requirements will drive the ISMS implementation. Smaller organizations will find that the activities noted in this International Standard are applicable to them and can be simplified. Large-scale or complex organizations might find that a layered organization or management system is needed to manage the activities in this International Standard effectively. However, in both cases, the relevant activities can be planned by applying this International Standard. This International Standard gives recommendations and explanations; it does not specify any requirements. This International Standard is intended to be used in conjunction with ISO/IEC 27001:2005 and ISO/IEC 27002:2005, but is not intended to modify and/or reduce the requirements specified in ISO/IEC 27001:2005 or the recommendations provided in ISO/IEC 27002:2005. 
Claiming conformity to this International Standard is not appropriate. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 27000:2009, Information technology — Security techniques — Information security management systems — Overview and vocabulary ISO/IEC 27001:2005, Information technology — Security techniques — Information security management systems — Requirements 3 Terms and definitions For the purposes of this document, the terms and definitions given in ISO/IEC 27000:2009, ISO/IEC 27001:2005 and the following apply. 3.1 ISMS project structured activities undertaken by an organization to implement an ISMS oSIST ISO/IEC 27003:2010
ISO/IEC 27003:2010(E) 2 © ISO/IEC 2010 – All rights reserved 4 Structure of this International Standard 4.1 General structure of clauses The implementation of an ISMS is an important activity and is generally executed as a project in an organization. This document explains the ISMS implementation by focusing on the initiation, planning, and definition of the project. The process of planning the ISMS final implementation contains five phases and each phase is represented by a separate clause. All clauses have a similar structure, as described below. The five phases are: a) Obtaining management approval for initiating an ISMS project (Clause 5)
b) Defining ISMS Scope and ISMS Policy (Clause 6) c) Conducting Organization Analysis (Clause 7) d) Conducting Risk Assessment and Risk Treatment planning (Clause 8) e) Designing the ISMS (Clause 9) Figure 1 illustrates the five phases of the planning of the ISMS project referring to ISO/IEC standards and main output documents.
Figure 1 — ISMS project phases Further information is noted in the annexes. These annexes are: Annex A. Summary of activities with references according to ISO/IEC 27001:2005 Annex B. Information security roles and responsibilities
Annex C. Information on planning of internal audits Annex D. Structure of policies Annex E. Information on planning of monitoring and measuring oSIST ISO/IEC 27003:2010
ISO/IEC 27003:2010(E) © ISO/IEC 2010 – All rights reserved 3 4.2 General structure of a clause Each clause contains: a) one or more objectives stating what is to be achieved noted in the beginning of each clause in a text box; and b) one or more activities necessary to achieve the phase objective or objectives. Each activity is described in a subclause. Activity descriptions in each subclause are structured as follows: Activity The activity defines what is necessary to satisfy this activity which achieves all or part of the phase objectives. Input The input describes the starting point, such as the existence of documented decisions or outputs from other activities described in this International Standard. Inputs could either be referred to as the complete output from an activity just stating the relevant clause or specific information from an activity may be added after the clause reference. Guidance The guidance provides detailed information to enable performing this activity. Some of the guidance may not be suitable in all cases and other ways of achieving the results may be more appropriate. Output The output describes the result(s) or deliverable(s), upon completion of the activity; e.g. a document. The outputs are the same, independent of the size of the organization or the ISMS scope. Other information The other information provides any additional information that may assist in performing the activity, for example references to other standards. NOTE The phases and activities described in this document include a suggested sequence of performing activities based on the dependencies identified through each of the activities’ “Input” and “Output” descriptions. 
However, depending on many different factors (e.g., effectiveness of management system currently in place, understanding with regard to the importance of information security, reasons for implementing an ISMS), an organization may select any activity in any order as necessary to prepare for the establishment and implementation of the ISMS.
4.3 Diagrams A project is often illustrated in graphical or diagram form showing an overview of activities and outputs.
Figure 2 illustrates the legend of diagrams which are illustrated in an overview subclause of each phase. The diagrams provide a high level overview of the activities included in each phase.
oSIST ISO/IEC 27003:2010
ISO/IEC 27003:2010(E) 4 © ISO/IEC 2010 – All rights reserved
Figure 2 — Flow diagram legend
oSIST ISO/IEC 27003:2010
ISO/IEC 27003:2010(E) © ISO/IEC 2010 – All rights reserved 5 The upper square illustrates the planning phases of an ISMS project. The phase explained in the specific clause is then emphasized with its key output documents. The lower diagram (activities of the phase) includes the key activities which are included in the emphasized phase of the upper square, and main output documents of each activity.
The timeline in the lower square is based on the timeline in the upper square. Activity A and Activity B can be executed at the same time. Activity C should be started after Activity A and B is finished. 5 Obtaining management approval for initiating an ISMS project
5.1 Overview of obtaining management approval for initiating an ISMS project There are several factors that should be taken into consideration when deciding to implement an ISMS. In order to address these factors, management should understand the business case of an ISMS implementation project and approve it. Therefore the objective of this phase is: Objective:
To obtain management approval to start the ISMS project by defining a business case and the project plan. In order to acquire management approval, an organization should create a business case which includes the priorities and objectives to implement an ISMS in addition to the structure of the organization for the ISMS. The initial ISMS project plan should also be created. The work performed in this phase will enable the organization to understand the relevance of an ISMS, and clarify the information security roles and responsibilities within the organization needed for an ISMS project. The expected output of this phase will be the preliminary management approval of, and commitment to implement, an ISMS and performing the activities described in this International Standard. The deliverables from this clause include a business case and a draft ISMS project plan with key milestones. Figure 3 illustrates the process to obtain management approval to initiate the ISMS project. NOTE The output from Clause 5 (Documented management commitment to plan and implement an ISMS) and one of the outputs of Clause 7 (Document summarization of the information security status) are not requirements of ISO/IEC 27001:2005. However, the outputs from these activities are recommended input to other activities described in this document.
oSIST ISO/IEC 27003:2010
Figure 3 — Overview of obtaining management approval for initiating an ISMS project
5.2 Clarify the organization’s priorities to develop an ISMS

Activity
The objectives for implementing an ISMS should be established by considering the organization’s information security priorities and requirements.

Input
a) the organization’s strategic objectives
b) overview of the existing management systems
c) a list of legal, regulatory, and contractual information security requirements applicable to the organization

Guidance
In order to start the ISMS project, management approval is generally needed. Therefore, the first activity that should be performed is to collect the relevant information illustrating the value of an ISMS to the organization. The organization should clarify why an ISMS is needed, decide the objectives of the ISMS implementation and initiate the ISMS project.

The objectives for implementing an ISMS can be determined by answering the following questions:
a) risk management – How will an ISMS generate better management of information security risks?
b) efficiency – How can an ISMS improve the management of information security?
c) business advantage – How can an ISMS create competitive advantage for the organization?

In order to answer the questions above, the organization’s security priorities and requirements are addressed by the following possible factors:
a) critical businesses and organization areas:
1. What are the critical businesses and organizational areas?
2. Which organizational areas provide the business and with what focus?
3. What third party relationships and agreements exist?
4. Are there any services that have been outsourced?
b) sensitive or valuable information:
1. What information is critical to the organization?
2. What would be the likely consequences if certain information were to be disclosed to unauthorized parties (e.g., loss of competitive advantage, damage to brand or reputation, legal action, etc.)?
c) laws which mandate information security measures:
1. What laws relating to risk treatment or information security apply to the organization?
2. Is the organization part of a public global organization that is required to have external financial reporting?
d) contractual or organizational agreements relating to information security:
1. What are the storage requirements (including the retention periods) for data storage?
2. Are there any contractual requirements relating to privacy or quality (e.g. service level agreement – SLA)?
e) industry requirements which specify particular information security controls or measures:
1. What sector-specific requirements apply to the organization?
f) the threat environment:
1. What kind of protection is needed, and against what threats?
2. What are the distinct categories of information that require protection?
3. What are the distinct types of information activities that need to be protected?
g) competitive drivers:
1. What are the minimum market requirements for information security?
2. What additional information security controls should provide a competitive advantage for the organization?
h) business continuity requirements:
1. What are the critical business processes?
2. How long can the organization tolerate interruptions to each critical business process?

The preliminary ISMS scope can be determined by responding to the information above. This is also needed in order to create a business case and overall ISMS project plan for management approval. The detailed ISMS scope will be defined during the ISMS project.

The requirements noted in ISO/IEC 27001:2005, 4.2.1 a), outline the scope in terms of the characteristics of the business, the organization, its location, assets and technology. The resulting information from the above supports this determination.

Some topics which should be considered when making the initial decisions regarding scope include:
a) What are the mandates for information security management established by organizational management and the obligations imposed externally on the organization?
b) Is the responsibility for the proposed in-scope systems held by more than one management team (e.g. people in different subsidiaries or different departments)?
c) How will the ISMS-related documents be communicated throughout the organization (e.g. on paper or through the corporate intranet)?
d) Can the current management systems support the organization’s needs? Are they fully operational, well maintained, and functioning as intended?
Examples of management objectives that may be used as input to define the preliminary ISMS scope include:
a) facilitating business continuity and disaster recovery
b) improving resilience to incidents
c) addressing legal/contractual compliance/liabilities
d) enabling certification against other ISO/IEC standards
e) enabling organizational evolution and position
f) reducing costs of security controls
g) protecting assets of strategic value
h) establishing a healthy and effective internal control environment
i) providing assurance to stakeholders that information assets are properly protected
Output
The deliverables of this activity are:
a) a document summarizing the objectives, information security priorities, and organizational requirements for an ISMS;
b) a list of regulatory, contractual, and industry requirements related to the information security of the organization;
c) outlined characteristics of the business, the organization, its location, assets, and technology.

Other information
ISO/IEC 9001:2008, ISO/IEC 14001:2004, ISO/IEC 20000-1:2005.

5.3 Define the preliminary ISMS scope

5.3.1 Develop the preliminary ISMS scope

Activity
The objectives for implementing an ISMS should include the preliminary ISMS scope definition, which is necessary for the ISMS project.

Input
Output from Activity 5.2 Clarify the organization’s priorities to develop an ISMS.

Guidance
In order to execute the ISMS implementation project, the structure of the organization for the ISMS should be defined. The preliminary scope of the ISMS should now be defined to provide management with guidance for implementation decisions, and to support further activities.

The preliminary ISMS scope is needed in order to create the business case and the proposed project plan for management approval.

The output from this stage will be a document defining the preliminary scope of the ISMS, which includes:
a) a summary of the mandates for information security management established by organizational management, and the obligations imposed externally on the organization;
b) a description of how the area(s) in scope interact with other management systems;
c) a list of the business objectives of information security management (as derived in Clause 5.2);
d) a list of critical business processes, systems, information assets, organizational structures and geographic locations to which the ISMS will be applied;
e) the relationship of existing management systems, regulatory, compliance, and organization objectives;
f) the characteristics of the business, the organization, its location, assets and technology.

The common elements and the operational differences between the processes of any existing management system(s) and the proposed ISMS should be identified.

Output
The deliverable is a document which describes the preliminary scope of the ISMS.
Other information
No other specific information.

NOTE Where certification is sought, the specific documentation requirements of ISO/IEC 27001:2005 for the ISMS scope must be fulfilled regardless of the management systems already in place within the organization.

5.3.2 Define roles and responsibilities for the preliminary ISMS scope

Activity
The overall roles and responsibilities for the preliminary ISMS scope should be defined.

Input
a) output from Activity 5.3.1 Develop the preliminary ISMS scope
b) list of stakeholders who will benefit from results of the ISMS project.

Guidance
In order to execute the ISMS project, the role of an organization for the project should be determined. The role generally is different at each organization, because of the number of people dealing with information security. The organizational structure and resources for information security vary with the size, type and structure of the organization. For example, in a smaller organization, several roles may be carried out by the same person. However, management should explicitly identify the role (typically Chief Information Security Officer, Information Security Manager or similar) with overall responsibility for managing
...
SLOVENIAN STANDARD SIST ISO/IEC 27003
March 2011
Information technology – Security techniques – Information security management system implementation guidance
Reference designation
ICS 35.040 SIST ISO/IEC 27003:2011 (sl)
Continued on pages 2 to 65
© 2014-03: Slovenski inštitut za standardizacijo (Slovenian Institute for Standardization). Reproduction or copying of this standard, in whole or in part, is not permitted.
SIST ISO/IEC 27003 : 2011
NATIONAL INTRODUCTION
The standard SIST ISO/IEC 27003 (sl), Information technology – Security techniques – Information security management system implementation guidance, 2011, has the status of a Slovenian standard and is identical to the international standard ISO/IEC 27003 (en), Information technology – Security techniques – Information security management system implementation guidance, 2010-02-01.
NATIONAL FOREWORD
The international standard ISO/IEC 27003:2010 was prepared by subcommittee ISO/IEC JTC 1/SC 27, IT Security techniques, of the joint technical committee of the International Organization for Standardization and the International Electrotechnical Commission.
The Slovenian standard SIST ISO/IEC 27003:2011 is a translation of the international standard ISO/IEC 27003:2010. The Slovenian standard SIST ISO/IEC 27003:2011 was prepared by the technical committee SIST/TC ITC Information technology. In the event of a dispute concerning the text of the Slovenian translation, the original international standard in English is decisive.
The decision to issue this standard was taken by SIST/TC ITC Information technology on 25 November 2010.
RELATIONSHIP TO NATIONAL STANDARDS
SIST ISO/IEC 27000:2011 Information technology – Security techniques – Information security management systems – Overview and vocabulary
SIST ISO/IEC 27001:2005 Information technology – Security techniques – Information security management systems – Requirements (superseded by SIST ISO/IEC 27001:2013)
BASIS FOR ISSUING THE STANDARD
– adoption of the standard ISO/IEC 27003:2010
NOTES
– Wherever the term "International Standard" is used in the text of the standard, in SIST ISO/IEC 27003:2011 it means "Slovenian standard".
– The national introduction and the national foreword are not an integral part of the standard.
Contents ... Page
Foreword ... 5
Introduction ... 6
1 Scope ... 7
2 Normative references ... 7
3 Terms and definitions ... 7
4 Structure of this International Standard ... 7
4.1 General structure of clauses ... 7
4.2 General structure of a clause ... 8
4.3 Diagrams ... 9
5 Obtaining management approval for initiating an ISMS project ... 11
5.1 Overview of obtaining management approval for initiating an ISMS project ... 11
5.2 Clarify the organization's priorities to develop an ISMS ... 13
5.3 Define the preliminary ISMS scope ... 15
5.3.1 Develop the preliminary ISMS scope ... 15
5.3.2 Define roles and responsibilities for the preliminary ISMS scope ... 15
5.4 Create the business case and the project plan for management approval ... 16
6 Defining ISMS scope, boundaries and ISMS policy ... 18
6.1 Overview of defining ISMS scope, boundaries and ISMS policy ... 18
6.2 Define organizational scope and boundaries ... 20
6.3 Define information and communication technology (ICT) scope and boundaries ... 21
6.4 Define physical scope and boundaries ... 22
6.5 Integrate each scope and boundaries to obtain the ISMS scope and boundaries ... 22
6.6 Develop the ISMS policy and obtain approval from management ... 23
7 Conducting information security requirements analysis ... 24
7.1 Overview of conducting information security requirements analysis ... 24
7.2 Define information security requirements for the ISMS process ... 26
7.3 Identify assets within the ISMS scope ... 27
7.4 Conduct an information security assessment ... 27
8 Conducting risk assessment and planning risk treatment ... 29
8.1 Overview of conducting risk assessment and planning risk treatment ... 29
8.2 Conduct risk assessment ... 31
8.3 Select the control objectives and controls ... 32
8.4 Obtain management authorization for implementing and operating the ISMS ... 32
9 Designing the ISMS ... 33
9.1 Overview of designing the ISMS ... 33
9.2 Design organizational information security ... 36
9.2.1 Design the final organizational structure for information security ... 36
9.2.2 Design the ISMS documentation framework ... 37
9.2.3 Design the information security policy ... 38
9.2.4 Develop information security standards and procedures ... 39
9.3 Design ICT and physical information security ... 40
9.4 Design ISMS-specific information security ... 42
9.4.1 Plan management reviews ... 42
9.4.2 Design the information security awareness, training and education programme ... 43
9.5 Produce the final ISMS project plan ... 45
Annex A (informative): Checklist description ... 46
Annex B (informative): Roles and responsibilities for information security ... 50
Annex C (informative): Information about internal auditing ... 54
Annex D (informative): Structure of policies ... 56
Annex E (informative): Monitoring and measuring ... 60
Bibliography ... 65
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
Draft International Standards are prepared in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to all members for voting. Publication as an International Standard requires approval by at least 75 % of the members casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27003 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
Introduction
The purpose of this International Standard is to provide practical guidance in developing the implementation plan for an Information Security Management System (ISMS) within an organization in accordance with ISO/IEC 27001:2005. The actual implementation of an ISMS is generally executed as a project.
The process described in this International Standard has been designed to provide support for the implementation of ISO/IEC 27001:2005 (relevant parts of Clauses 4, 5 and 7) and documents:
a) the preparation of beginning an ISMS implementation plan in an organization, defining the organizational structure for the project, and gaining management approval,
b) the critical activities for the ISMS project, and
c) examples to achieve the requirements in ISO/IEC 27001:2005.
By using this International Standard the organization will be able to develop a process for information security management, giving interested parties the assurance that risks to information assets are continuously maintained within acceptable information security bounds as defined by the organization.
This International Standard does not cover the operational activities and other ISMS activities, but does cover the concepts of how to design the activities which will result after the ISMS operations begin. The concept results in the final ISMS project implementation plan. The actual execution of the organization-specific part of an ISMS project is outside the scope of this International Standard.
The implementation of the ISMS project should be carried out using standard project management methodologies (for more information see ISO and ISO/IEC standards addressing project management).
Information technology – Security techniques – Information security management system implementation guidance
1 Scope
This International Standard focuses on the critical aspects needed for successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. It describes the process of ISMS specification and design from inception to the production of implementation plans. It describes the process of obtaining management approval to implement an ISMS, defines a project to implement an ISMS (referred to in this International Standard as the ISMS project), and provides guidance on how to plan the ISMS project, resulting in a final ISMS project implementation plan.
This International Standard is intended to be used by organizations implementing an ISMS. It is applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations) of all sizes. Each organization's complexity and risks are unique, and its specific requirements will drive the ISMS implementation. Smaller organizations will find that the activities noted in this International Standard are applicable to them and can be simplified. Large-scale or complex organizations might find that a layered organization or management system is needed to manage the activities in this International Standard effectively. However, in both cases, the relevant activities can be planned by applying this International Standard.
This International Standard gives recommendations and explanations; it does not specify any requirements. This International Standard is intended to be used in conjunction with ISO/IEC 27001:2005 and ISO/IEC 27002:2005, but is not intended to modify and/or reduce the requirements specified in ISO/IEC 27001:2005 or the recommendations provided in ISO/IEC 27002:2005. Claiming conformity to this International Standard is not appropriate.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000:2009 Information technology – Security techniques – Information security management systems – Overview and vocabulary
ISO/IEC 27001:2005 Information technology – Security techniques – Information security management systems – Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given below and in ISO/IEC 27000:2009 and ISO/IEC 27001:2005 apply.
3.1
ISMS project
structured activities undertaken by an organization to implement an ISMS
4 Structure of this International Standard
4.1 General structure of clauses
The implementation of an ISMS is an important activity and is generally performed as a project in an organization. This document explains the ISMS implementation by focusing on the initiation, planning and definition of the project. The process of planning the final ISMS implementation contains five phases, and each phase is represented by a separate clause. All clauses have a similar structure, as described below. The five phases are:
a) obtaining management approval for initiating an ISMS project (Clause 5),
b) defining ISMS scope and ISMS policy (Clause 6),
c) conducting organization analysis (Clause 7),
d) conducting risk assessment and risk treatment planning (Clause 8),
e) designing the ISMS (Clause 9).
Figure 1 illustrates the five phases of ISMS project planning according to ISO/IEC standards and the main output documents.
[Figure 1 (graphic not reproduced): the five ISMS project phases shown on a time axis, each with its main output documents: 5 Obtaining management approval for initiating an ISMS project (output: management approval for initiating the ISMS project); 6 Defining ISMS scope, boundaries and ISMS policy (outputs: ISMS scope and boundaries; ISMS policy); 7 Conducting information security requirements analysis (outputs: information security requirements; information assets; results of the information security assessment); 8 Conducting risk assessment and planning risk treatment (outputs: written record of management approval for implementing the ISMS; risk treatment plan; Statement of Applicability including control objectives and selected controls); 9 Designing the ISMS (output: final ISMS project implementation plan).]
Figure 1: ISMS project phases
Further information is given in the annexes. These annexes are:
Annex A: Summary of activities with references to ISO/IEC 27001:2005
Annex B: Roles and responsibilities for information security
Annex C: Information about internal audit planning
Annex D: Structure of policies
Annex E: Information about monitoring and measuring planning
4.2 General structure of a clause
Each clause contains:
a) one or more objectives, stated in boxed text at the beginning of each clause, which state what is to be achieved,
and
b) one or more activities necessary to achieve the objective or objectives of the phase.
Each activity is described in a sub-clause.
The activity descriptions in each sub-clause are structured as follows:
Activity
The activity defines what is necessary to satisfy this activity and to achieve all or part of the objectives of the phase.
Input
The input describes the starting point, such as the existence of documented decisions or outputs from other activities described in this International Standard. Inputs may be either references to the complete output of an activity, giving the relevant clause, or specific information from an activity, added after the clause reference.
Guidance
The guidance provides detailed information to enable this activity to be performed. Some of the guidance may not be suitable in all cases, and other ways of achieving the result may be more appropriate.
Output
The output describes the result(s) or deliverable(s) on completion of the activity, e.g. a document. The outputs are the same regardless of the size of the organization or the scope of the ISMS.
Other information
Other information provides any additional information that may assist in performing the activity, e.g. references to other standards.
NOTE: The phases and activities described in this document include a suggested sequence for performing the activities, based on the dependencies identified through the input and output descriptions of each activity. However, depending on many different factors (e.g. the effectiveness of the management system currently in use, the understanding of the importance of information security, the reasons for implementing the ISMS), an organization may select any activity in any order necessary to establish and implement the ISMS.
4.3 Diagrams
A project is often presented in graphical form or as a diagram, so that an overview of activities and outputs is provided.
Figure 2 shows the legend for the diagrams presented in the overview sub-clause of each phase. The diagrams give a general overview of the activities involved in each phase.
[Figure 2 (graphic not reproduced): upper box "ISMS project planning phase" showing phases x, y and z on a time axis, with the emphasized phase's output documents (here "ISMS scope and boundaries" and "ISMS policy"); lower box "Activities in each phase" showing Activity A, Activity B and Activity C on a time axis, each with its output documents.]
Figure 2: Flow diagram legend
The upper box illustrates the planning phases of an ISMS project. The phase explained in the specific clause is then emphasized with its key output documents.
The lower diagram (activities of the phase) includes the key activities which are included in the emphasized phase of the upper box, and the main output documents of each activity.
The timeline in the lower box is based on the timeline in the upper box.
Activity A and Activity B can be executed at the same time. Activity C should start after Activities A and B are finished.
5 Obtaining management approval for initiating an ISMS project
5.1 Overview of obtaining management approval for initiating an ISMS project
Several factors should be taken into consideration when deciding to implement an ISMS. In order to address these factors, management should understand the business case for the ISMS implementation project and approve it. Therefore the objective of this phase is:
Objective:
To obtain management approval to start the ISMS project by defining a business case and the project plan.
In order to acquire management approval, the organization should create a business case which includes the priorities and objectives for implementing an ISMS, in addition to the structure of the organization for the ISMS. The initial ISMS project plan should also be created.
The work performed in this phase will enable the organization to understand the relevance of an ISMS and will clarify the information security roles and responsibilities within the organization needed for the ISMS project.
The expected output of this phase will be the preliminary management approval of, and commitment to implement, an ISMS and to perform the activities described in this International Standard. The deliverables of this clause include a business case and a draft ISMS project plan with key milestones.
Figure 3 illustrates the process of obtaining management approval for initiating the ISMS project.
NOTE: The output from Clause 5 (documented management commitment to plan and implement an ISMS) and one of the outputs of Clause 7 (document summarization of the information security status) are not requirements of ISO/IEC 27001:2005. However, these two outputs are recommended inputs to other activities described in this document.
[Figure 3 (graphic not reproduced): upper box showing the five phases (5 Obtaining management approval for initiating an ISMS project; 6 Defining ISMS scope, boundaries and ISMS policy; 7 Conducting information security requirements analysis; 8 Conducting risk assessment and planning risk treatment; 9 Designing the ISMS) on a time axis, with phase 5 emphasized and its output "Management approval for initiating the ISMS project". Lower box showing the activities of phase 5 on a time axis: 5.2 Clarify the organization's priorities to develop an ISMS (outputs: summary of ISMS objectives; list of regulatory, contractual and industry constraints affecting the organization's information security; outlined business characteristics); 5.3 Define the preliminary ISMS scope, comprising 5.3.1 Develop the preliminary ISMS scope and 5.3.2 Define roles and responsibilities for the preliminary ISMS scope (outputs: outlined business characteristics; description of roles and responsibilities for ISMS implementation); 5.4 Create the business case and the project plan for management approval (outputs: business case; ISMS project proposal; ISMS project approval).]
Figure 3: Overview of obtaining management approval for initiating the ISMS project
5.2 Clarify the organization's priorities to develop an ISMS
Activity
The objectives for implementing an ISMS should be established by considering the organization's information security priorities and requirements.
Input
a) the organization's strategic objectives,
b) overview of the existing management systems,
c) a list of legal, regulatory and contractual information security requirements applicable to the organization.
Guidance
In order to start the ISMS project, management approval is generally needed. Therefore, the first activity that should be performed is to collect the relevant information illustrating the value of an ISMS to the organization. The organization should clarify why an ISMS is needed, decide the objectives of the ISMS implementation and initiate the ISMS project.
The objectives for implementing an ISMS can be determined by answering the following questions:
a) risk management – how will an ISMS generate better management of information security risks,
b) efficiency – how can an ISMS improve the management of information security,
c) business advantage – how can an ISMS create competitive advantage for the organization.
In order to answer the questions above, the organization considers the following possible factors in its security priorities and requirements:
a) critical business and organizational areas:
1. Which business and organizational areas are critical?
2. Which organizational areas generate the business, and what is their focus?
3. What third-party relationships and agreements exist?
4. Are there any services that have been outsourced?
b) sensitive or valuable information:
1. What information is critical to the organization?
2. What would be the likely consequences if certain information were disclosed to unauthorized persons (e.g. loss of competitive advantage, damage to brand or reputation, legal action, etc.)?
c) laws which mandate information security measures:
1. What laws relating to risk treatment or information security apply to the organization?
2. Is the organization part of a public global organization that is subject to external financial reporting requirements?
d) contractual or organizational agreements relating to information security:
1. What are the requirements for data storage (including retention periods)?
2. Are there any contractual requirements relating to privacy or quality (e.g. service level agreements – SLA)?
e) industry requirements which specify particular information security controls and measures:
1. What sector-specific requirements apply to the organization?
f) the threat environment:
1. What kind of protection is needed, and against what threats?
2. What distinct categories of information require protection?
3. What distinct information activities need to be protected?
g) competitive drivers:
1. What are the minimum market requirements for information security?
2. What additional information security controls should provide a competitive advantage for the organization?
h) business continuity requirements:
1. Which business processes are critical?
2. How long can the organization tolerate interruptions to each critical business process?
Based on the responses to the information above, the preliminary ISMS scope can be determined. This is also needed in order to create a business case and an overall ISMS project plan for management approval. The detailed ISMS scope will be defined during the ISMS project.
The requirements stated in ISO/IEC 27001:2005, 4.2.1 a), define the scope in terms of the characteristics of the business, the organization, its location, assets and technology. The information resulting from the above supports this determination.
When making the initial decisions regarding scope, topics to consider include:
a) What mandates does organizational management set for information security management, and what are the organization's external obligations?
b) Is the responsibility for the proposed in-scope systems held by more than one management team (e.g. people in different subsidiaries or departments)?
c) How will the ISMS-related documents be communicated throughout the organization (e.g. on paper or through the corporate intranet)?
d) Can the current management systems support the organization's needs? Are they fully operational, well maintained and functioning as intended?
Examples of management objectives that may be used as input to define the preliminary ISMS scope include:
a) facilitating business continuity and disaster recovery,
b) improving resilience to incidents,
c) addressing legal/contractual requirements/liabilities,
d) enabling certification against ISO/IEC standards,
e) enabling organizational evolution and position,
f) reducing the cost of security controls,
g) protecting assets of strategic value,
h) establishing a healthy and effective internal control environment,
i) providing assurance to interested parties that information assets are properly protected.
Output
The deliverables of this activity are:
a) a document summarizing the objectives, information security priorities and organizational requirements for an ISMS,
b) a list of legal, contractual and industry requirements related to the information security of the organization,
c) outlined characteristics of the business, the organization, its location, assets and technology.
Other information
ISO/IEC 9001:2008, ISO/IEC 14001:2004, ISO/IEC 20000-1:2005.
5.3 Define the preliminary ISMS scope
5.3.1 Develop the preliminary ISMS scope
Activity
The objectives for implementing an ISMS should include the preliminary ISMS scope definition, which is necessary for the ISMS project.
Input
Output from Activity 5.2 Clarify the organization's priorities to develop an ISMS
Guidance
In order to execute the ISMS implementation project, the structure of the organization for the ISMS should be defined. The preliminary ISMS scope should now be defined to provide management with guidance for implementation decisions and to support the activities that follow.
The preliminary ISMS scope is needed in order to create the business case and the proposed project plan for management approval.
The output of this step will be a document defining the preliminary ISMS scope, which includes:
a) a summary of the mandates for information security management set by organizational management, and the obligations imposed externally on the organization,
b) a description of how the area(s) in scope interact with other management systems,
c) a list of the business objectives of information security management (as
...